Fetch Azure resources via ARM REST API
Published on March 18th, 2026
Overview
This recipe shows how to query the Azure Resource Manager (ARM) REST API from a Roadie scaffolder template. Authentication is handled automatically by Roadie using OAuth 2.0 client credentials — there is no need to manage or rotate tokens in your template.
Prerequisites
The following secrets must be configured in your Roadie instance:
| Secret | Description |
|---|---|
| `AZURE_CLIENT_ID` | Application (client) ID of the Azure service principal |
| `AZURE_CLIENT_SECRET` | Client secret for the service principal |
| `AZURE_TENANT_ID` | Directory (tenant) ID of your Azure Active Directory |
The service principal must have at minimum the Reader role on the subscriptions or resource groups you wish to query.
Actions used
`http:backstage:request` — routes the ARM API call through the Roadie integrations backend, which fetches and refreshes the OAuth token automatically.
How to find your Azure identifiers
- Subscription ID — in the Azure portal, open Subscriptions and copy the ID from the list.
- Resource Group Name — in the Azure portal, open Resource groups and copy the name.
- Tenant ID — run `az account show --query tenantId -o tsv` in the Azure CLI, or find it under Azure Active Directory → Properties → Tenant ID in the portal.
Template
```yaml
apiVersion: scaffolder.backstage.io/v1beta3
kind: Template
metadata:
  name: azure-arm-list-resources
  title: List Azure Resources
  description: >
    Lists all resources in an Azure resource group using the ARM REST API.
    Requires AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID to be
    configured in Roadie.
spec:
  owner: roadie
  type: service
  parameters:
    - title: Azure Resource Details
      required:
        - subscriptionId
        - resourceGroupName
      properties:
        subscriptionId:
          title: Subscription ID
          type: string
          description: The Azure subscription ID to query
        resourceGroupName:
          title: Resource Group Name
          type: string
          description: The name of the resource group to list resources in
  steps:
    - id: list-resources
      name: List Azure Resources
      action: http:backstage:request
      input:
        method: POST
        path: /integrations/azure-arm/request
        headers:
          content-type: application/json
        body:
          backendType: http
          method: GET
          path: >-
            /subscriptions/${{ parameters.subscriptionId }}/resourceGroups/${{ parameters.resourceGroupName }}/resources?api-version=2024-11-01
  output:
    text:
      - title: Response Code
        content: '`${{ steps["list-resources"].output.code }}`'
      - title: Resources
        content: '`${{ steps["list-resources"].output.body }}`'
```
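Both form parameters are interpolated directly into the ARM path that the integrations backend forwards, so it is worth constraining them in the form schema. The `parameters` block below is an added example, not part of the original recipe. Its regular expressions are assumptions based on the GUID format of subscription IDs and on Azure's resource group naming rules (restricted here to ASCII); `pattern`, `minLength` and `maxLength` are standard JSON Schema keywords.

```yaml
# Added example: replaces the `parameters` block under `spec:` in the template above.
parameters:
  - title: Azure Resource Details
    required:
      - subscriptionId
      - resourceGroupName
    properties:
      subscriptionId:
        title: Subscription ID
        type: string
        description: The Azure subscription ID to query
        # Assumption: subscription IDs are GUIDs (8-4-4-4-12 hex digits).
        # Anchored with ^ and $ because JSON Schema patterns are unanchored
        # by default. Rejects "/", "?", "#", "%" and whitespace, so the value
        # cannot change the path or query string of the forwarded request.
        pattern: '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
        minLength: 36
        maxLength: 36
      resourceGroupName:
        title: Resource Group Name
        type: string
        description: The name of the resource group to list resources in
        # Assumption: ASCII subset of Azure's naming rules: 1-90 characters
        # from letters, digits, "_", "-", ".", "(" and ")", not ending in ".".
        pattern: '^[A-Za-z0-9._()-]{0,89}[A-Za-z0-9_()-]$'
        maxLength: 90
```

Schema constraints only limit what the form accepts; the Reader role scoping from the prerequisites still bounds what any accepted request can read.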
How it works
- The `http:backstage:request` action sends a `POST` to `/integrations/azure-arm/request` — the Roadie integrations backend endpoint for the pre-configured `azure-arm` integration.
- The integrations backend uses the `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, and `AZURE_TENANT_ID` secrets to obtain a short-lived OAuth 2.0 bearer token from `https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token` with scope `https://management.azure.com/.default`.
- The token is cached and refreshed automatically — your template never touches credentials directly.
- The actual ARM `GET` request is forwarded to `https://management.azure.com` with the bearer token attached, and the response is returned to the template output.